Privacy Policy
Last updated: 2026-02-23
1. Introduction
Trolley Trekka (“we”, “our”, or “us”) is committed to protecting your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) of South Africa and, where applicable, the EU General Data Protection Regulation (GDPR).
This Privacy Policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and what rights you have regarding your data.
By creating an account and using Trolley Trekka, you consent to the collection and processing of your personal information as described in this policy. If you do not agree, please do not use our service.
2. Responsible Party (Information Officer)
For the purposes of POPIA, Trolley Trekka is the Responsible Party for personal information processed through this application. For GDPR purposes, we are the Data Controller.
For any privacy-related enquiries, requests, or complaints, please contact our Information Officer at:
Email: privacy@trolley-trekka.co.za
3. Personal Information We Collect
3.1 Account Information
- Email address (required for account creation)
- Full name (optional, used for display purposes)
- Password (stored as a one-way hash; we never have access to your plaintext password)
- Date and time of consent to this Privacy Policy
3.2 Receipt and Purchase Data
- Receipt images you upload (photographs or scans of grocery receipts)
- Store names and purchase dates
- Itemised product names, quantities, and prices
- Total purchase amounts and currency
- Raw text extracted from receipt images via AI processing
3.3 Nutrition and Health Data
- Food group and subgroup classifications of your purchased items
- Dietary balance scores (Plate Scores) derived from your purchase history
- AI-generated dietary recommendations based on your food purchasing patterns
- Manual notes or corrections you make to item classifications
Note: Purchase data may reveal health-related information (e.g., medications, dietary choices). This is treated as sensitive personal information under POPIA and processed with appropriate safeguards.
3.4 Usage and Technical Data
- Number of receipts processed each month (for service limits and billing)
- Subscription tier and status
- IP address (used temporarily for rate limiting; not stored long-term)
3.5 Household Data
If you join or create a household, your receipt data, item purchases, and nutritional information will be visible to all approved members of that household. Each household member consents to this sharing when joining.
4. Lawful Basis for Processing
We process your personal information on the following grounds:
- Consent (POPIA s11(1)(a) / GDPR Art.6(1)(a)): You consent to processing when you create an account and agree to this Privacy Policy. You may withdraw consent at any time by deleting your account.
- Contract (GDPR Art.6(1)(b)): Processing is necessary to provide the Trolley Trekka service you have requested (receipt scanning, analytics, household sharing).
- Legitimate interest (POPIA s11(1)(f) / GDPR Art.6(1)(f)): We maintain usage records for fraud prevention, service abuse detection, and billing audits.
5. How We Use Your Personal Information
- To create and manage your user account
- To extract and analyse data from your receipt images
- To provide spending analytics, nutrition tracking, and dietary insights
- To enable household sharing with members you invite
- To enforce usage limits appropriate to your subscription tier
- To send account-related emails (email verification, password reset) via our authentication provider
- To prevent fraud and abuse of our service
6. Third-Party Sub-Processors
We use the following third-party services to operate Trolley Trekka. These providers process your data as sub-processors under agreements that meet POPIA and GDPR requirements:
Supabase (Database & Authentication)
Stores your account data, receipts, and all application data in a PostgreSQL database. Manages authentication sessions.
OpenAI (AI Receipt Processing)
Your receipt images are sent to OpenAI for text extraction and item classification. This means OpenAI's servers process the content of your receipts. Receipt images may contain sensitive details such as medication names and purchase patterns. OpenAI processes this data under its API terms and does not use API data to train its models by default.
We do not sell your personal information to any third party. We do not use your data for advertising purposes.
7. Cookies
Trolley Trekka uses only essential cookies. Specifically, our authentication provider (Supabase) stores a session token in your browser to keep you logged in. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. No cookie consent banner is shown because only essential cookies are used.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account & profile data | Until account is deleted |
| Receipts and purchase history | Until you delete them or close your account |
| Receipt images | Until associated receipt is deleted |
| Nutrition classifications & Plate Scores | Until account is deleted |
| AI dietary recommendations (cache) | 6 months from generation, then automatically purged |
| Usage tracking records | 12 months, then automatically purged |
9. Your Rights
Under POPIA and GDPR, you have the following rights regarding your personal information:
- Right of Access (POPIA s23 / GDPR Art.15): Request a copy of all personal information we hold about you. Use the “Download My Data” feature in Account Settings.
- Right to Correction (POPIA s24 / GDPR Art.16): Update your name in Account Settings. Contact us to correct other data.
- Right to Deletion / Erasure (POPIA s24 / GDPR Art.17): Delete your account and all associated data using the “Delete Account” button in Account Settings. This is irreversible.
- Right to Data Portability (GDPR Art.20): Export your data in JSON format via “Download My Data” in Account Settings.
- Right to Object (GDPR Art.21): You may object to processing based on legitimate interest by contacting us.
- Right to Withdraw Consent: Delete your account at any time to withdraw consent and have all your data removed.
To exercise any right not covered by self-service features, contact our Information Officer at privacy@trolley-trekka.co.za. We will respond within 30 days (POPIA) / 1 month (GDPR).
10. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the South African Information Regulator within 72 hours of becoming aware (POPIA s22)
- Notify affected data subjects as soon as reasonably practicable
- Take immediate steps to contain and remediate the breach
11. Security Measures
We implement the following security measures to protect your data:
- All data transmission is encrypted via HTTPS/TLS
- Passwords are hashed using industry-standard algorithms (managed by Supabase)
- Row Level Security (RLS) at the database level ensures users can only access their own data
- API rate limiting prevents brute-force and abuse
- API keys and secrets are stored as server-side environment variables, never exposed to clients
12. Children's Privacy
Trolley Trekka is not intended for use by persons under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us and we will delete it promptly.
13. International Data Transfers
Your data may be processed by Supabase and OpenAI on servers located outside South Africa. These transfers are made in accordance with POPIA s72, which permits transfers to countries with adequate protection or where the data subject has consented. By using Trolley Trekka, you consent to these transfers.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice. Continued use of Trolley Trekka after changes constitutes acceptance of the updated policy. The “Last updated” date at the top of this page reflects the most recent revision.
Contact Us
For any privacy questions, data requests, or complaints, contact our Information Officer at privacy@trolley-trekka.co.za.
You also have the right to lodge a complaint with the South African Information Regulator or, for EU residents, with your local Data Protection Authority.